
Connect Ping Identity to SAP Cloud Platform Identity Authentication Service

In this blog post, we will explore how to establish trust between your SAP Identity Authentication Service and Ping Identity as a corporate identity provider.

Once the connection between Ping Identity (PingOne) and the SAP Cloud Platform Identity Authentication Service (IAS) is established, you can reuse it for several applications and environments.

Note: the article contains third party information about Ping Identity, which may change in the future.

Prerequisites

  1. You have an active license for SAP Cloud Platform Identity Authentication Service.
  2. ‘Manage Applications’ and ‘Manage Corporate Identity Providers’ authorizations are assigned to you as Administrator in IAS.
  3. You have access to the PingOne admin console.

Step 1: Log in to PingOne admin console and create SAML 2.0 application

Log in to the PingOne admin console by going to https://admin.pingone.com/web-portal/login and provide your credentials.

Click the ‘Connections’ tab, then the ‘Applications’ option.

Note: PingID has no predefined SAP Cloud Platform Identity Authentication Service application; you have to create and configure it manually.

In the ‘New Application‘ part, choose ‘Web App‘ as application type, and ‘SAML‘ as connection type:

As part of the application creation, you can define a custom application name, description, and logo. Click the ‘Next‘ button.

Step 2: Configure the SAML Connection in PingOne

In this step, you have to fill in the SAML settings (metadata) taken from your SAP Cloud Platform Identity Authentication Service tenant. Please pay special attention to all steps taken in this part.

ACS URL:

To get the URL value, follow these steps:

  1. Open Identity Authentication Service (IAS) Admin Console: https://<tenantid>.accounts.ondemand.com/admin
  2. Navigate to ‘Tenant Settings’ tile. Click on ‘SAML2.0 Configuration’.
  3. Copy ‘Assertion Consumer Service Endpoint’ (ACS endpoint) URL.

Copy-paste this URL as ACS URL.

Leave ‘PingOne SSO Certificate for Administrators environment’ as the signing certificate, with the default ‘Assertion’ signing and the ‘RSA_SHA256’ algorithm. I left encryption by default: Disabled.

Entity ID:

This value has to be the same as the ‘Name’ value of your IAS tenant.

To get the URL, follow these steps:

  1. Open IAS Admin Console: https://<tenantid>.accounts.ondemand.com/admin
  2. Navigate to ‘Tenant Settings’ tile. Click on ‘SAML2.0 Configuration’.

Copy the value of the ‘Name’ field.

Note: Make sure the audience matches exactly as described in KBA 2693814 – Service Provider does not match specified audience in the SAML2Assertion.
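
The exact-match requirement above can be checked against a SAML response captured while testing the login. The following is an added example, not code from the original post or from SAP or Ping Identity; the tenant name, the ACS path and the sample response are constructed placeholders, and `find_sp_mismatches` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed values: "example-tenant" is a placeholder, and the ACS path is
# made up. Use the values shown in your tenant's SAML 2.0 Configuration.
IAS_NAME = "https://example-tenant.accounts.ondemand.com"
IAS_ACS = "https://example-tenant.accounts.ondemand.com/acs-placeholder"

# Constructed, unsigned response, as it would look after base64-decoding.
# The audience carries a trailing slash that the 'Name' value does not have.
SAMPLE_RESPONSE = f"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="{IAS_ACS}">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{IAS_ACS}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{IAS_NAME}/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def find_sp_mismatches(response_xml, entity_id, acs_url):
    """Compare audience, recipient and destination with the IAS values.

    Exact string comparison on purpose: case, scheme and trailing slashes
    all count. This is a configuration check, not signature validation.
    """
    root = ET.fromstring(response_xml)
    problems = []
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"audience {audiences} does not contain {entity_id!r}")
    recipients = [n.get("Recipient") for n in
                  root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        problems.append(f"recipient {recipients} does not contain {acs_url!r}")
    if root.get("Destination") not in (None, acs_url):
        problems.append(f"destination {root.get('Destination')!r} is not {acs_url!r}")
    return problems
```

Run it only on responses captured from your own test logins, and treat any reported mismatch as a reason to re-copy the ‘Name’ or ACS value from IAS into PingOne.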

You can copy-paste the other settings from your IAS tenant’s SAML2.0 Configuration:

https://<tenantid>.accounts.ondemand.com/saml2/idp/sso/<tenantid>.accounts.ondemand.com
https://<tenantid>.accounts.ondemand.com/saml2/idp/sso/<tenantid>.accounts.ondemand.com
HTTP POST 
https://<tenantid>.accounts.ondemand.com
Disabled
No Verification Certificates Selected

At the ‘Attribute mapping’ step, you can use User ID as a nameid:

Step 3: Download Identity Provider metadata file from PingOne

In PingOne, navigate to the ‘Connections‘ tab, then click ‘Applications‘, select the created application. At ‘Configuration‘, ‘Connection details‘, ‘Download metadata‘, click on ‘Download‘ button to download the metadata in .xml format.

Step 4: Configure trust in the Identity Authentication Service

In this scenario, SAP Cloud Platform Identity Authentication service acts as a proxy to delegate the authentication to the corporate identity provider. For more information check our official SAP documentation: Configure Trust with Corporate Identity Provider.

To use Identity Authentication Service as a proxy to delegate authentication to an external corporate identity provider you have to configure trust with that corporate identity provider.

To configure trust with the corporate identity provider, follow the procedures below:

Import the downloaded PingOne metadata (from Step 3) into Identity Authentication Service:

  1. Open IAS Admin Console: https://<tenantid>.accounts.ondemand.com/admin
  2. Navigate to ‘Corporate Identity Providers’ in the submenu of ‘Identity Providers’.
  3. Add Identity Provider with a custom name.
  4. Choose SAML 2.0 Configuration and import metadata:

All the required details are filled in:

Save the configuration.

As a tenant administrator, you can specify a link that is sent as an extension in the SAML 2.0 Logout Response. The link can be used by the application to redirect the user after successfully logging out of the application when Identity Authentication acts as an identity provider proxy. See our official documentation: Service Provider Initiated Logout with Corporate Identity Providers.

Navigate to the ‘Trust’ tab and choose the ‘Logout Redirect URL‘ option. Define the desired URL where you want to redirect end-users after successful logout.

Step 5: Connect your application to use PingOne as the identity provider

In the Admin Console of your IAS, navigate to ‘Applications & Resources’ then click on the ‘Applications’ tab and configure an application or choose an existing one.

Option A: Click on the ‘Conditional Authentication’ option on the ‘Trust’ tab of your application. Set your PingOne as ‘Default Identity Provider‘.

For more information see our official documentation: Choose a Corporate Identity Provider as Default.

Option B: Set ‘Trust all corporate Identity Providers’ on. In this case, you should define Conditional Authentication to redirect users to PingID.

For more information see: Configure Conditional Authentication for an Application.

Summary

After following the above steps, your application should use PingOne as a corporate identity provider, and in this case, IAS is acting as a proxy.

Hint: If you are facing issues during configuration, you can download the Troubleshooting logs from your IAS tenant to self-investigate the root cause of the issue. See KBA 2942816 – How to export troubleshooting logs from Identity Authentication Service.

Also, we advise checking the IAS Guided Answers about the most common issues: KBA 2701851 – SAP Cloud Platform Identity Authentication Service (IAS) – Guided Answers.
